
In the example above, the ".password" field is the hashed password. I think 'tlrobinson' was trying to point out that sites only have to keep plaintext passwords if that's what they're given. If, when you first signed up for a site that uses tlrobinson's technique, you provided the hash of your password (instead of your password itself), then the site would never have access to the plaintext (but you'd be able to use the plaintext to log on at a later date since the SQL query checks the ".password" field against hash(input).)



Yes, close, but not exactly what I meant. The password would still be provided in plaintext upon registration, but the application would immediately hash and store it. Then the user can login with their password, which gets hashed and compared to the hashed password in the database. Alternatively the hash can be handed over if required and also used as the password since we also compare the unhashed input to the hashed stored password.
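The dual comparison tlrobinson describes, as an added example that is not part of this thread (the in-memory table and the unsalted SHA-256 stand in for the site's SQL table and its hash function; both are constructed assumptions). It places the dual check beside the usual hash-only check so the difference is visible: under the dual check the stored ".password" value is itself accepted as a credential.

```python
import hashlib
import hmac

# Constructed in-memory stand-in for the users table from the thread;
# the ".password" column holds the hash, never the plaintext.
USERS = {}

def h(secret: str) -> str:
    # Unsalted hash, matching the thread's hash(input) comparison (assumption).
    return hashlib.sha256(secret.encode()).hexdigest()

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input does not raise.
    return hmac.compare_digest(a.encode(), b.encode())

def register(username: str, plaintext: str) -> None:
    """Registration: the plaintext arrives once, is hashed immediately,
    and only the hash is stored."""
    USERS[username] = {"password": h(plaintext)}

def login_either(username: str, supplied: str) -> bool:
    """The dual check from the thread: accept the plaintext (hashed, then
    compared) or the stored hash handed over directly."""
    row = USERS.get(username)
    if row is None:
        return False
    return _eq(h(supplied), row["password"]) or _eq(supplied, row["password"])

def login_plaintext_only(username: str, supplied: str) -> bool:
    """The usual check: only hash(input) is compared, so the stored value
    is not a valid credential by itself."""
    row = USERS.get(username)
    if row is None:
        return False
    return _eq(h(supplied), row["password"])

def hash_is_password_equivalent(username: str):
    """Feed the stored ".password" value back in as the login input under
    both checks. True means a copy of that column alone logs the user in."""
    stored = USERS[username]["password"]
    return login_either(username, stored), login_plaintext_only(username, stored)

if __name__ == "__main__":
    register("alice", "correct horse")
    print(login_either("alice", "correct horse"))   # True
    print(hash_is_password_equivalent("alice"))     # (True, False)
```

The (True, False) result is the design trade-off to weigh: with the dual check, a leaked password column is as useful to its holder as the plaintext, so the hash must be protected like one.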
